By: Vedant Jain
June 24, 2020
Introduction to TLS 1.3
By: Vedant Jain
June 24, 2020
Introduction to TLSv-1.3
It's officially getting the Green Signal by the IETF (Internet Engineering Task Force), and it contains major improvements within the following three areas:
- Area of Privacy (Focused).
- Area of Performance.
- Area of Security.
Let's look at each one.
Unlike with TLSv-1.2, there appears to be some built-in motivation to upgrade, particularly with the Performance Booster, which in itself will perk up the ears of just about every security professional.
The biggest improvements from TLSv-1.3 are mostly positive, but the improved encryption also makes it harder to identify the malicious traffic and defend against attacks hidden within the encrypted traffic.
TLSv-1.2 vs TLSv-1.3
The previous version, TLS 1.2, was arrived at RFC 5246, and from now, it has been used in most of the web browsers. The IETF is the official group assigned to define the TLS Protocols (which have suffered from various iterations). On March 21, 2018, TLSv-1.3 was finalized by the IETF in 28 Drafts. The Final Version was published in August 2018 under RFC 8446.
What's New in TLSv-1.3
TLSv-1.3 has offered some amazing improvements over the TLSv-1.2. Vulnerable optional parts of the protocol removed are:
- Key Exchange – RSA
- Encryption algorithms: – RC4, 3DES, Camellia
- Cryptographic Hash algorithms: – MD5, SHA-1
- Cipher Modes: – AES-CBC
- Other features: – TLS Compression & Session Renegotiation
– DSA Signatures (ECDSA ≥ 224 bit) – ChangeCipherSpec message type & "Export" strength ciphers – Arbitrary/Custom (EC)DHE groups and curves
They highly support stronger ciphers required to implement Perfect Forward Secrecy (PFS), and thus the handshake process has been significantly shortened.
To Implement TLSv-1.3 is relatively simple. We will use an equivalent key we used for TLSv-1.2. Servers and Client will automatically be adjusted to a TLSv-1.3 handshake once they both support it. Google Chrome and Mozilla Firefox already support TLSv-1.3 by Default.
Benefits in the Area of Privacy in TLSv-1.3
The privacy benefits of TLS-1.3 also enable Perfect Forward Secrecy. PFS is a cryptographic technique that ensures that only two endpoints can decrypt the traffic by adding another layer of confidentiality to an encrypted session. With Perfect Forward Secrecy, if 3rd parties were to record an encrypted session, and later gain access to the server private key, they may not use that key to decrypt the session.
Benefits in the Area of Performance in TLSv-1.3
Performance benefits with reference to performance, TLS 1.3 cuts the encryption latency in half by shaving a whole trip from the connection establishment handshake. In addition, another advantage is when accessing a site you've got previously visited, you'll now send data on the primary message to the server. This can often be called a "zero trip time" (0-RTT).
Benefits in the Area of Security under TLSv-1.3
While TLSv-1.2 is often deployed securely, several high-profile vulnerabilities have exploited optional parts of the protocol and outdated ciphers. TLSv-1.3 removes many of the choices those create a drag and only include support for algorithms with no known vulnerabilities (as of this writing)
The IETF decided to drop all of the ciphers that don't support PFS from TLS handshake Connections. These include DES, AES-CBC, RC4, and other ciphers that are less useful.
The TLSv-1.3 also drops the power required to perform what's referred to as "renegotiation," which allows a client and server, that have already gotten a TLS connection, to barter new parameters, generate new keys, etc. When renegotiation is eliminated, a window of opportunity for an attack is closed.
TLSv-1.2 Handshake TLSv-1.3 Handshake
Benefits of Speed in TLSv-1.3
TLS and Encrypted Handshake will always add a slight overhead when it comes to web application performance. In this scenario, HTTP/2 has the solution to deal with it. But TLSv-1.3 helps us to speed up the Encrypted Handshake Connections with more great features such as TLS False Start and 0-RTT (Zero Round Trip Time).
Technology is also outdated over time. Everything needs to be upgraded as time moves on. Similarly, with HTTP/2, TLSv-1.3 is the newest update protocol of TLS, which will benefit users for years to come. Not only will the Encrypted Handshake Connections be faster, but in fact, the security protocols will be more secure to maintain our privacy in the world of the Web.